PayPal is now offering a free URL redirection service
Written by DP
Sunday, 4 November 2007
Nemessis has discovered a new XSS/URL redirect vulnerability on PayPal.com. You can simply choose your preferred landing URL. This service is revolutionary as there is no need to register on the site. Anyone can use it for free. Phishers can use a bulk e-mailer and include their fake PayPal URL: the link genuinely points at PayPal.com, and PayPal then forwards the victim to whatever the attacker put in the landing URL. Not all internet users are aware of phishing attacks. It will be pretty easy to be convinced that this is a genuine e-mail from PayPal requesting a verification of your account details. You also feel extra secure knowing that the session is encrypted with 128-bit SSL.
The same parameter (landing_url=) is also vulnerable to cross-site scripting.
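To make the two bugs concrete, here is an added example (not code from PayPal or from the original post) of a redirect handler in the vulnerable shape the post describes, next to a hardened one that keeps the landing target on an allowlisted host and refuses the javascript: scheme that turns a redirect parameter into an XSS vector. The parameter name landing_url is taken from the post; the allowlist, the attacker host evil.example and the sample inputs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Assumed allowlist of hosts a landing_url may point at (illustrative, not PayPal's).
ALLOWED_HOSTS = {"www.paypal.com", "paypal.com"}


def vulnerable_redirect_target(landing_url):
    """The pattern the post describes: the parameter is trusted verbatim,
    so https://www.paypal.com/...?landing_url=http://evil.example/ bounces
    the victim straight to the attacker's page."""
    return landing_url


def safe_redirect_target(landing_url, default="/"):
    """Return a redirect target that stays on ALLOWED_HOSTS, else `default`.

    Rejected: absolute URLs to other hosts, protocol-relative //host,
    userinfo tricks (https://www.paypal.com@evil.example/), non-http(s)
    schemes such as javascript: or data:, and backslash/CRLF smuggling.
    """
    if not landing_url:
        return default
    candidate = landing_url.strip()
    # Browsers treat "\" like "/" in the authority part, so "/\evil.example"
    # would become "//evil.example"; CR/LF would allow header injection.
    if any(ch in candidate for ch in ("\\", "\r", "\n")):
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, vbscript:, ...
    if parts.netloc:
        if parts.netloc.lower() not in ALLOWED_HOSTS:
            return default  # foreign host, or userinfo like host@evil.example
        # Allowed host: rebuild the URL ourselves and force https.
        query = "?" + parts.query if parts.query else ""
        return "https://" + parts.netloc.lower() + (parts.path or "/") + query
    # No authority: accept only a site-relative path ("/x"), never "//x".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


def render_landing_link(target):
    """Safe reflection of the value into HTML (the XSS half of the bug):
    attribute-encode it instead of pasting it into the page verbatim."""
    return '<a href="%s">Continue</a>' % html.escape(target, quote=True)


if __name__ == "__main__":
    for url in ("https://evil.example/login", "//evil.example/", "javascript:alert(1)",
                "https://www.paypal.com@evil.example/", "/account/verify?step=1"):
        print("%-40s -> %s" % (url, safe_redirect_target(url)))
```

The allowlist check is done on the parsed netloc, not with a prefix or substring test on the raw string, because "https://www.paypal.com.evil.example/" and "https://www.paypal.com@evil.example/" both start with the trusted name.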
Mirror of the PayPal URL redirect vulnerability:
PayPal XSS mirror:
I am expecting to see this vulnerability fixed later today.
Thank you Nemessis for bringing up the issue! ;)
http://www.xssed.com/news/29/The_dangers_of_Redirect_vulnerabilities/ - 29 April 2007